<div dir="ltr">Hi Alex,<div><br></div><div>Thanks for going through several steps to help mitigate src port exhaustion. We are looking to achieve 400-500% more concurrent connections if we could :) as there is a significant buffer on the available CPU. </div><div>The option to use multiple tcp_outgoing_addresses appears to be promising along with some tweaks to the TCP timeouts. I guess we could use ACLs to pick a different outbound IP based on the requesting client's prefix. We had not considered that option as the ephemeral ports were no longer available to other applications when squid uses most of them with a single outbound IP configured. We are also looking to modify the code to use the IP_BIND_ADDRESS_NO_PORT sockopt as that could help delay port assignment with the bind() call on the outbound TCP sessions (to hopefully allow access to the 4-tuple on the socket).</div><div>Thanks</div><div>Praveen</div><div><br></div></div><br><div class="gmail_quote"><div dir="ltr" class="gmail_attr">On Thu, May 19, 2022 at 7:18 PM Alex Rousskov <<a href="mailto:rousskov@measurement-factory.com">rousskov@measurement-factory.com</a>> wrote:<br></div><blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex">On 5/19/22 20:22, Praveen Ponakanti wrote:<br>
<br>
> Does anyone have recommendations on scaling concurrent connections <br>
> through the squid proxy to above the ephemeral port range?<br>
<br>
I know of several solutions, but not all of them are probably applicable <br>
to your specific situation:<br>
<br>
1. Decrease the amount of time closed TCP connections occupy the port. <br>
For example, if you have many connections in TIME_WAIT state, and can <br>
afford to lower that state duration, it may help free ports faster.<br>
<br>
2. If outgoing connections are closed faster (i.e. after fewer requests) <br>
than they should be, then fix that problem to increase connection reuse <br>
(and, hence, decrease port pressure). This solution is usually <br>
applicable to environments where you control both ends of the connection <br>
and see some premature closures.<br>
<br>
3. Use more outgoing IP addresses. Without modifications, Squid would <br>
not automatically pick the next outgoing IP address after using up most <br>
of the ports on the previous one, but perhaps the OS would do the right <br>
thing _for_ Squid? Not sure. You can use tcp_outgoing_address with <br>
random ACLs to force-spread the load across multiple IPs (and, hence, <br>
multiple port banks). This does not work if you must use a single <br>
outgoing IP for some reason.<br>
<br>
4. Modify Squid to retry port binding errors. This is easy to do but <br>
(without #5 below) it will not help much once ephemeral ports become <br>
scarce (in my experience; I have not checked what the latest kernels are <br>
capable of in this area).<br>
<br>
5. If you need, say, 20-30% more concurrency (rather than 100+%) and <br>
cannot use multiple outbound IP addresses, then it would be possible to <br>
modify Squid to implement a manual port allocation algorithm that <br>
usually works a lot more reliably under load than ephemeral ports <br>
administered by the OS (last time I checked, which was a few years ago). <br>
You will still be bound by the TCP limit of 64K ports (minus whatever <br>
you want to leave for other applications that open outgoing connections) <br>
and various TCP-level timeouts, of course, but the number of cases where <br>
Squid cannot open a port because of OS port mismanagement will go down.<br>
<br>
FWIW, we successfully use solutions 3, 4, and 5 in Web Polygraph <br>
benchmark (that can be configured to create lots of outgoing connections).<br>
<br>
<br>
> I have squid v5.5 on Ubuntu with about 48K ephemeral ports available <br>
> with the ip_local_port_range. The squid is bound to listen on port 3128 <br>
> and has a single tcp_outgoing_address configured. We notice that after <br>
> about 40-45k concurrent connections through the proxy it is unable to <br>
> reuse ports and it severely limits local ports available to other <br>
> applications running on the system. The squid is set up to run 30 <br>
> workers; total CPU is still under 10% during peak connection rates.<br>
> <br>
> <br>
> Is any build config flag required to enable SO_REUSEPORT or SO_REUSEADDR <br>
> on the outbound TCP sessions opened by squid?<br>
<br>
Squid can be configured to use SO_REUSEPORT on _incoming_ connections <br>
(see *_port worker-queues), but that is not what you are asking about. <br>
Outside of that worker-queues feature, Squid will not set SO_REUSEPORT <br>
AFAICT.<br>
<br>
Squid does set SO_REUSEADDR unless you use the -R command line option <br>
AFAICT.<br>
<br>
<br>
> It does not appear that there is an option to use the <br>
> IP_BIND_ADDRESS_NO_PORT sockopt flag which can help with ephemeral port <br>
> reuse.<br>
<br>
No.<br>
<br>
<br>
> We have tried enabling tcp_tw_reuse, ip_autobind_reuse and <br>
> ip_nonlocal_bind flags, but unable to get the system reuse the ephemeral <br>
> ports. The fs.file-max is set to 4M. Pasted some errors below. Any <br>
> suggestions are appreciated!<br>
<br>
<br>
HTH,<br>
<br>
Alex.<br>
<br>
<br>
<br>
> 2022/05/19 23:35:00 kid12| commBind Cannot bind socket FD 3075 to <br>
> </IP/>: (99) Cannot assign requested address<br>
> <br>
> current master transaction: master48536607<br>
> <br>
> 2022/05/19 23:35:00 kid23| commBind Cannot bind socket FD 1320 to <br>
> </IP/>: (99) Cannot assign requested address<br>
> <br>
> current master transaction: master26662366<br>
> <br>
> <br>
> 2022/05/19 23:37:30 kid13| commBind Cannot bind socket FD 3346 to <br>
> </IP/>: (98) Address already in use<br>
> <br>
> current master transaction: master11976056<br>
> <br>
> 2022/05/19 23:37:30 kid12| commBind Cannot bind socket FD 6459 to <br>
> </IP/>: (98) Address already in use<br>
> <br>
> current master transaction: master48561031<br>
> <br>
> <br>
> While the system is in this state, local curls to another endpoint on <br>
> the same node are not able to obtain a TCP socket.<br>
> <br>
> <br>
> curl: (7) Couldn't connect to server<br>
> <br>
> <br>
> _______________________________________________<br>
> squid-users mailing list<br>
> <a href="mailto:squid-users@lists.squid-cache.org" target="_blank">squid-users@lists.squid-cache.org</a><br>
> <a href="http://lists.squid-cache.org/listinfo/squid-users" rel="noreferrer" target="_blank">http://lists.squid-cache.org/listinfo/squid-users</a><br>
<br>
</blockquote></div>
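<p>The IP_BIND_ADDRESS_NO_PORT behaviour discussed in the thread, as an added C example that is not part of the mailing-list exchange or of the Squid code base. It binds an outgoing socket to a fixed source address with port 0 (the single tcp_outgoing_address situation) twice, once plainly and once with the option set, and reads the source port back after bind() and after connect(). With a plain bind() the kernel picks the ephemeral port at bind time, before it knows the destination, so that port is reserved per source 2-tuple. With the option set, getsockname() reports port 0 until connect(), and the kernel then picks the port with the full 4-tuple known, as it does for an unbound socket. Assumptions: Linux (the option exists since kernel 4.2; the literal 24 is the Linux uapi value, used only as a fallback for old headers), and a working loopback interface.</p>

```c
/*
 * Added example, not Squid code: contrast plain bind(127.0.0.1:0) with
 * bind() under IP_BIND_ADDRESS_NO_PORT on an outgoing TCP socket.
 * Assumes Linux >= 4.2 and a working loopback interface.
 */
#include <arpa/inet.h>
#include <netinet/in.h>
#include <stdint.h>
#include <stdio.h>
#include <sys/socket.h>
#include <unistd.h>

#ifndef IP_BIND_ADDRESS_NO_PORT
#define IP_BIND_ADDRESS_NO_PORT 24 /* assumption: Linux uapi value, for old headers */
#endif

/* Source port (host order) currently recorded for fd, or 0 if none yet. */
static uint16_t local_port(int fd)
{
    struct sockaddr_in sa;
    socklen_t len = sizeof(sa);
    if (getsockname(fd, (struct sockaddr *)&sa, &len) < 0)
        return 0;
    return ntohs(sa.sin_port);
}

/* Loopback listener on an OS-chosen port; returns fd and fills *port. */
static int start_listener(uint16_t *port)
{
    int fd = socket(AF_INET, SOCK_STREAM, 0);
    if (fd < 0) return -1;
    struct sockaddr_in sa = { .sin_family = AF_INET, .sin_port = 0 };
    sa.sin_addr.s_addr = htonl(INADDR_LOOPBACK);
    if (bind(fd, (struct sockaddr *)&sa, sizeof(sa)) < 0 || listen(fd, 8) < 0) {
        close(fd);
        return -1;
    }
    *port = local_port(fd);
    return fd;
}

/*
 * Bind an outgoing socket to 127.0.0.1:0, optionally with
 * IP_BIND_ADDRESS_NO_PORT, then connect to dst_port on loopback.
 * Records the source port after bind() and after connect().
 * Returns 0 on success, -1 on any socket error (errno set).
 */
int connect_from_source(int no_port, uint16_t dst_port,
                        uint16_t *port_after_bind, uint16_t *port_after_connect)
{
    int fd = socket(AF_INET, SOCK_STREAM, 0);
    if (fd < 0) return -1;
    int one = 1;
    if (no_port &&
        setsockopt(fd, IPPROTO_IP, IP_BIND_ADDRESS_NO_PORT, &one, sizeof(one)) < 0) {
        close(fd);
        return -1;
    }
    struct sockaddr_in src = { .sin_family = AF_INET, .sin_port = 0 };
    src.sin_addr.s_addr = htonl(INADDR_LOOPBACK);
    if (bind(fd, (struct sockaddr *)&src, sizeof(src)) < 0) { close(fd); return -1; }
    *port_after_bind = local_port(fd);   /* 0 only when the option is set */

    struct sockaddr_in dst = { .sin_family = AF_INET, .sin_port = htons(dst_port) };
    dst.sin_addr.s_addr = htonl(INADDR_LOOPBACK);
    if (connect(fd, (struct sockaddr *)&dst, sizeof(dst)) < 0) { close(fd); return -1; }
    *port_after_connect = local_port(fd); /* always assigned by now */
    close(fd);
    return 0;
}

/* Run both variants against one listener; 0 if both connects succeeded. */
int compare_bind_modes(uint16_t *plain_after_bind, uint16_t *plain_after_connect,
                       uint16_t *noport_after_bind, uint16_t *noport_after_connect)
{
    uint16_t lport;
    int lfd = start_listener(&lport);
    if (lfd < 0) return -1;
    int rc = connect_from_source(0, lport, plain_after_bind, plain_after_connect);
    if (rc == 0)
        rc = connect_from_source(1, lport, noport_after_bind, noport_after_connect);
    close(lfd);
    return rc;
}

int main(void)
{
    uint16_t pb, pc, nb, nc;
    if (compare_bind_modes(&pb, &pc, &nb, &nc) != 0) {
        perror("compare_bind_modes");
        return 1;
    }
    printf("plain bind():            after bind=%u, after connect=%u\n", pb, pc);
    printf("IP_BIND_ADDRESS_NO_PORT: after bind=%u, after connect=%u\n", nb, nc);
    return 0;
}
```

<p>Build with <code>cc -O2 example.c -o example</code> and run it: the plain variant prints the same non-zero port twice, the NO_PORT variant prints 0 and then the port chosen at connect() time. This is the difference that matters for an application such as Squid that binds every outgoing socket to a configured source address: with the option, ports are allocated per 4-tuple at connect() rather than per 2-tuple at bind(), which is the effect the thread speculates about. It does not raise the 64K per-4-tuple ceiling or shorten TIME_WAIT, so the other measures listed in the reply still apply.</p>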